ICO investigates NHS loss of 8.63m patient records

The Information Commissioner's Office (ICO) has said it is to investigate the alleged loss of an NHS laptop containing sensitive patient records.

According to a report in The Sun, the laptop disappeared from an NHS site three weeks ago. It is said to have contained the unencrypted records of 8.63m people, including details of 18m hospital visits and procedures.

The loss has only just been reported to the police by the NHS.

An ICO spokesperson said: "Any allegation that sensitive personal information has been compromised is concerning, and we will now make enquiries to establish the full facts of this alleged data breach."

Although reluctant to comment on the details of the case, a Department of Health spokesman said: "All NHS organisations are legally required to comply with Data Protection legislation. They are expected to take data loss extremely seriously and be open about incidents and about the action taken as a result.

"Local NHS organisations are responsible for implementing these data handling processes, [deciding] which staff need to have access to health records as well as ensuring compliance with Information Governance standards."

The laptop is understood to be one of a batch of 20 that were lost, eight of which have since been recovered.

The fact that the data on the missing machine was unencrypted has prompted widespread indictment of NHS data protection practices within the security industry.

Jeff Hudson, chief executive of digital certificate management company Venafi, said: "People will lose or have stolen physical items like laptops – that is unavoidable. What is completely avoidable is losing health records. If they were encrypted, they would not be readable by the thief or whoever they ended up with.

"[Encryption] is easy to do; there is excellent technology around to do it. And if it had been done, 8.63m people would be feeling differently today because their private information would not be accessible."